David Newall wrote: > On 01/01/18 04:58, Emmanuel Deloget wrote: >> The idea of removing weak ciphers from a widely used piece of software is >> a good one - that way, you strengthen the whole ecosystem. Going the >> reverse path would simply make less informed people be the weak link >> of the >> Internet, putting possibly many more at risk. > > This doesn't make the Internet more secure because people aren't about > to throw away expensive equipment just because the latest openssh throws > a hissy fit. They'll use an alternative. Perhaps the alternative will > be an older, less secure version of openssh. Perhaps it will be even > less secure telnet. They will continue to use their still-good > equipment, and so they should. Hmm, if the vendor does not provide updates to more recent cipher strengths (already available for many years!) then it's very questionable whether the equipment is "still-good". Did you even try to ask the equipment's vendor for an update? If yes, what was the outcome? If there are no updates and being in your situation I would be really concerned about other security issues buried in such unmaintained systems. And most of my customers have a policy to sort out components not maintained by the vendor anymore. Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev